Analysis

  • max time kernel
    89s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/09/2022, 02:31 UTC

General

  • Target

    a4babb0e052f972640a840da092cc2b70544f04eb6d3c5fb0699747093c85cb1.exe

  • Size

    2.4MB

  • MD5

    ee577c6818e4c4fdfac6221a7678453e

  • SHA1

    39b172bc8d5f47e512e0ba90f70ce21661618273

  • SHA256

    a4babb0e052f972640a840da092cc2b70544f04eb6d3c5fb0699747093c85cb1

  • SHA512

    935d466a1de6d03ed5f8287bae32b52d86451c83a1d1d88cc99951d9b8f475b152fc07763d705417faf7386d1327cc033490bbb6a183d13f34a2adb3b7ddf198

  • SSDEEP

    49152:dRkVU7z3NhvRaZhTm6mxd2YYglcAxRXK/poKGheD7YJ4zSreZMn2j+w2D:dPv3z6hTN/YYETxhK/WKGheD7YJ4zKey

Malware Config

Signatures

  • joker

    Joker is an Android malware that targets billing and SMS fraud.

  • detect oss ak 2 IoCs

    Alibaba Cloud OSS AccessKey (AK) information detected.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4babb0e052f972640a840da092cc2b70544f04eb6d3c5fb0699747093c85cb1.exe
    "C:\Users\Admin\AppData\Local\Temp\a4babb0e052f972640a840da092cc2b70544f04eb6d3c5fb0699747093c85cb1.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3464

Network

  • flag-us
    DNS
    update-liulanqi-45691295-163music.oss-cn-shanghai.aliyuncs.com
    a4babb0e052f972640a840da092cc2b70544f04eb6d3c5fb0699747093c85cb1.exe
    Remote address:
    8.8.8.8:53
    Request
    update-liulanqi-45691295-163music.oss-cn-shanghai.aliyuncs.com
    IN A
    Response
    update-liulanqi-45691295-163music.oss-cn-shanghai.aliyuncs.com
    IN A
    106.14.229.99
  • flag-cn
    GET
    https://update-liulanqi-45691295-163music.oss-cn-shanghai.aliyuncs.com/wxr-notice-update.html
    a4babb0e052f972640a840da092cc2b70544f04eb6d3c5fb0699747093c85cb1.exe
    Remote address:
    106.14.229.99:443
    Request
    GET /wxr-notice-update.html HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Language: zh-cn
    Referer: https://update-liulanqi-45691295-163music.oss-cn-shanghai.aliyuncs.com/wxr-notice-update.html
    User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
    Host: update-liulanqi-45691295-163music.oss-cn-shanghai.aliyuncs.com
    Response
    HTTP/1.1 404 Not Found
    Server: AliyunOSS
    Date: Thu, 29 Sep 2022 02:32:36 GMT
    Content-Type: application/xml
    Content-Length: 304
    Connection: keep-alive
    x-oss-request-id: 633503C40BFD853936D95E63
    x-oss-server-time: 2
  • flag-us
    DNS
    ntp.ntsc.ac.cn
    a4babb0e052f972640a840da092cc2b70544f04eb6d3c5fb0699747093c85cb1.exe
    Remote address:
    8.8.8.8:53
    Request
    ntp.ntsc.ac.cn
    IN A
    Response
    ntp.ntsc.ac.cn
    IN A
    114.118.7.163
    ntp.ntsc.ac.cn
    IN A
    114.118.7.161
  • flag-us
    DNS
    oss.aliyuncs.com
    a4babb0e052f972640a840da092cc2b70544f04eb6d3c5fb0699747093c85cb1.exe
    Remote address:
    8.8.8.8:53
    Request
    oss.aliyuncs.com
    IN A
    Response
    oss.aliyuncs.com
    IN A
    118.178.29.5
  • flag-cn
    GET
    http://oss.aliyuncs.com/
    a4babb0e052f972640a840da092cc2b70544f04eb6d3c5fb0699747093c85cb1.exe
    Remote address:
    118.178.29.5:80
    Request
    GET / HTTP/1.1
    Connection: Keep-Alive
    Date: Wed, 28 Sep 2022 18:32:36 GMT
    Accept: */*
    Authorization: OSS LTAI4FzpPaBn74nsma1FK9JZ:jt77GonvMED8eM2i2g0vSyXCzpI=
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: oss.aliyuncs.com
    Response
    HTTP/1.1 403 Forbidden
    Server: AliyunOSS
    Date: Thu, 29 Sep 2022 02:32:39 GMT
    Content-Type: application/xml
    Content-Length: 446
    Connection: keep-alive
    x-oss-request-id: 633503C753BCC6383165A302
    x-oss-server-time: 1
  • 106.14.229.99:443
    https://update-liulanqi-45691295-163music.oss-cn-shanghai.aliyuncs.com/wxr-notice-update.html
    tls, http
    a4babb0e052f972640a840da092cc2b70544f04eb6d3c5fb0699747093c85cb1.exe
    1.1kB
    6.3kB
    10
    8

    HTTP Request

    GET https://update-liulanqi-45691295-163music.oss-cn-shanghai.aliyuncs.com/wxr-notice-update.html

    HTTP Response

    404
  • 118.178.29.5:80
    http://oss.aliyuncs.com/
    http
    a4babb0e052f972640a840da092cc2b70544f04eb6d3c5fb0699747093c85cb1.exe
    491 B
    802 B
    5
    3

    HTTP Request

    GET http://oss.aliyuncs.com/

    HTTP Response

    403
  • 20.189.173.5:443
    322 B
    7
  • 8.253.208.120:80
    322 B
    7
  • 8.253.208.120:80
    322 B
    7
  • 8.253.208.120:80
    322 B
    7
  • 8.8.8.8:53
    update-liulanqi-45691295-163music.oss-cn-shanghai.aliyuncs.com
    dns
    a4babb0e052f972640a840da092cc2b70544f04eb6d3c5fb0699747093c85cb1.exe
    108 B
    124 B
    1
    1

    DNS Request

    update-liulanqi-45691295-163music.oss-cn-shanghai.aliyuncs.com

    DNS Response

    106.14.229.99

  • 8.8.8.8:53
    ntp.ntsc.ac.cn
    dns
    a4babb0e052f972640a840da092cc2b70544f04eb6d3c5fb0699747093c85cb1.exe
    60 B
    92 B
    1
    1

    DNS Request

    ntp.ntsc.ac.cn

    DNS Response

    114.118.7.163
    114.118.7.161

  • 8.8.8.8:53
    oss.aliyuncs.com
    dns
    a4babb0e052f972640a840da092cc2b70544f04eb6d3c5fb0699747093c85cb1.exe
    62 B
    78 B
    1
    1

    DNS Request

    oss.aliyuncs.com

    DNS Response

    118.178.29.5

MITRE ATT&CK Matrix

Downloads

  • memory/3464-132-0x0000000000400000-0x0000000000718000-memory.dmp

    Filesize

    3.1MB

  • memory/3464-133-0x0000000000400000-0x0000000000718000-memory.dmp

    Filesize

    3.1MB
